Web Application Security

Using Oracle products as an example




                                      1
Syllabus


• It seems that organizations are taking security more and
  more seriously these days. One motivator is avoiding
  embarrassment which can collapse the organization in
  a hurry. The architecture of a web based application
  has a number of complexities when it comes to
  implementing security properly. Jonathan will talk about
  some of these complexities and identify a number of
  considerations that can save you time and money. In
  particular, he will explain how the Oracle suite of
  products integrate and use that as a concrete example.
  Architects, developers, and DBAs will learn from topics
  such as virtual private databases, single sign on,
  cookies, Hibernate interactions, and role-based security.
                                                          2
Setting the stage …


• Who is in the audience? Which one are you?
   • Architect
   • Database Administrator (DBA)
   • Developer
       • Java
       • Other
   • Other
• Goals:
   • General Understanding
   • Advice, related to Security in a web application
   • Drill into some non-obvious specifics
• Questions?

                                                        3
What’s the big deal?
  We have some challenges …

• Technology is more susceptible and more complicated
   • unwanted system access
      • localized damage
      • global damage
   • how do decision makers respond to pain? ~~ rational thinking


• Data (and Process) Ownership Trends
   • Silos → Sharing
      • Terminology confusion ~~ talk about the same thing: Einstein quote
   • Organizations → Products AND Services


• Potential huge costs, time and $$$$
   • Educate and then ask, are you sure?
                                                                             4
Legal stuff …


• Legal questions can delay a project
   • submit questions as early as possible
   • get feedback as early as possible
   • legal requirements are hard and fast – know them early to avoid
     expensive rework




                                                                       5
LEAN … Agile … Manage …

         Did someone say something about
         Security?
                                           6
Web Application Architecture




                               7
Step 1




• www.TeenagerExpenses.mb.ca
• Ask the Domain Name System (DNS) server to provide a machine-
  readable address, called an Internet Protocol (IP) address




                                                             8
Step 2




• www.TeenagerExpenses.mb.ca = 203.0.113.10 (an illustrative address;
  203.0.113.0/24 is reserved for documentation by RFC 5737)




                                                 9
Step 3




• Reverse Proxy (Oracle’s WebCache)
   • Guard at the door into the architecture
   • In the middle of the DMZ sandwich
• Robust solutions include:
   • Caching of static “public” content (picture files, JavaScript)
   • Load Balancing
   • Decryption of HTTPS requests (TLS termination) … more on that later
                                                                      10
Step 4




• The Web Application Server is the brains with all the
  business logic --- it knows what to do with the HTTP GET
  request
                                                          11
Step 5




• The server first needs a list of teenagers, so it asks the
  database server, which is responsible for persisting
  information



                                                               12
Step 6




• Teenager Result Set:
   • Raelene
   • Jenna




                         13
Step 7




• Let’s send an HTTP response of HTML:
  <label for="teenager">Teenager Name:</label>
  <select id="teenager" name="teenager">
    <option>Raelene</option>
    <option>Jenna</option> …
  </select>
                                                       14
Step 8




         15
Step 9




         16
Web Application Architecture




                               17
Web Application Architecture




                               18
Audit Columns


• Every table in the database includes the following
  columns:
   •   A_CREATED_BY
   •   A_CREATED_TIMESTAMP
   •   A_MODIFIED_BY
   •   A_MODIFIED_TIMESTAMP


• Know the effects of the Sarbanes-Oxley Act
• Create a companion history table for every table in the
  database. It will be a complete history of “snapshots”.
  These tables have the exact same columns plus a
  timestamp column. (Data is almost free!)
                                                            19
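The slide lists the four audit columns and asks for a companion history table but leaves the mechanics to the reader. The following is an added example, not code from the deck: an EXPENSE table shaped like the deck's tables, the A_* columns, an EXPENSE_HIST snapshot table, and the two triggers that fill them so that the application can neither forge nor skip the audit data. It is Oracle SQL and PL/SQL. EXPENSE_ID, EXPENSE_DATE, the H_* history columns and the 2011 year in the sample row are assumptions, not from the slides.

```sql
-- Added example (not from the deck): audit columns, history table, triggers.
-- Assumed names: EXPENSE_ID, EXPENSE_DATE, H_SNAPSHOT_TIMESTAMP, H_OPERATION.

CREATE TABLE EXPENSE (
  EXPENSE_ID           NUMBER         PRIMARY KEY,
  TEENAGER_ID          NUMBER         NOT NULL,
  DETAILS              VARCHAR2(200),
  AMOUNT               NUMBER(10,2)   NOT NULL,
  EXPENSE_DATE         DATE           NOT NULL,  -- the slide's "DATE"; DATE is a reserved word
  A_CREATED_BY         VARCHAR2(128)  NOT NULL,
  A_CREATED_TIMESTAMP  TIMESTAMP      NOT NULL,
  A_MODIFIED_BY        VARCHAR2(128)  NOT NULL,
  A_MODIFIED_TIMESTAMP TIMESTAMP      NOT NULL
);

-- Same columns as EXPENSE plus when the snapshot was taken and what caused it.
-- Deliberately no primary key: one EXPENSE row produces many history rows.
CREATE TABLE EXPENSE_HIST (
  EXPENSE_ID           NUMBER         NOT NULL,
  TEENAGER_ID          NUMBER         NOT NULL,
  DETAILS              VARCHAR2(200),
  AMOUNT               NUMBER(10,2)   NOT NULL,
  EXPENSE_DATE         DATE           NOT NULL,
  A_CREATED_BY         VARCHAR2(128)  NOT NULL,
  A_CREATED_TIMESTAMP  TIMESTAMP      NOT NULL,
  A_MODIFIED_BY        VARCHAR2(128)  NOT NULL,
  A_MODIFIED_TIMESTAMP TIMESTAMP      NOT NULL,
  H_SNAPSHOT_TIMESTAMP TIMESTAMP      NOT NULL,
  H_OPERATION          CHAR(1)        NOT NULL CHECK (H_OPERATION IN ('I', 'U', 'D'))
);

-- Fill the audit columns server-side so the application cannot forge them.
CREATE OR REPLACE TRIGGER EXPENSE_AUDIT_TRG
BEFORE INSERT OR UPDATE ON EXPENSE
FOR EACH ROW
DECLARE
  -- The real end user: CLIENT_IDENTIFIER if the middle tier sets one,
  -- otherwise the session user (which is the end user on a proxy connection).
  v_user VARCHAR2(128) := COALESCE(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
                                   SYS_CONTEXT('USERENV', 'SESSION_USER'));
BEGIN
  IF INSERTING THEN
    :NEW.A_CREATED_BY        := v_user;
    :NEW.A_CREATED_TIMESTAMP := SYSTIMESTAMP;
  ELSE
    -- An UPDATE must never rewrite who created the row or when.
    :NEW.A_CREATED_BY        := :OLD.A_CREATED_BY;
    :NEW.A_CREATED_TIMESTAMP := :OLD.A_CREATED_TIMESTAMP;
  END IF;
  :NEW.A_MODIFIED_BY        := v_user;
  :NEW.A_MODIFIED_TIMESTAMP := SYSTIMESTAMP;
END;
/

-- Snapshot every change, including DELETEs, which the audit columns alone lose.
CREATE OR REPLACE TRIGGER EXPENSE_HIST_TRG
AFTER INSERT OR UPDATE OR DELETE ON EXPENSE
FOR EACH ROW
BEGIN
  IF DELETING THEN
    INSERT INTO EXPENSE_HIST
    VALUES (:OLD.EXPENSE_ID, :OLD.TEENAGER_ID, :OLD.DETAILS, :OLD.AMOUNT, :OLD.EXPENSE_DATE,
            :OLD.A_CREATED_BY, :OLD.A_CREATED_TIMESTAMP,
            :OLD.A_MODIFIED_BY, :OLD.A_MODIFIED_TIMESTAMP, SYSTIMESTAMP, 'D');
  ELSE
    INSERT INTO EXPENSE_HIST
    VALUES (:NEW.EXPENSE_ID, :NEW.TEENAGER_ID, :NEW.DETAILS, :NEW.AMOUNT, :NEW.EXPENSE_DATE,
            :NEW.A_CREATED_BY, :NEW.A_CREATED_TIMESTAMP,
            :NEW.A_MODIFIED_BY, :NEW.A_MODIFIED_TIMESTAMP, SYSTIMESTAMP,
            CASE WHEN INSERTING THEN 'I' ELSE 'U' END);
  END IF;
END;
/

-- The deck's first row, inserted without touching the audit columns at all:
INSERT INTO EXPENSE (EXPENSE_ID, TEENAGER_ID, DETAILS, AMOUNT, EXPENSE_DATE)
VALUES (1, 1, 'Cell', 45.00, DATE '2011-10-01');   -- year assumed from the deck's date
```

Triggers execute with the privileges of the table owner, so the application (or pool) account needs only its grants on EXPENSE and no privilege at all on EXPENSE_HIST; the history table is then reachable from the application path only through the trigger. NOT NULL on the A_* columns is still checked after the BEFORE ROW trigger runs, so the INSERT above succeeds while an INSERT that somehow bypassed the trigger would fail loudly rather than produce an unaudited row.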
Web Application Architecture


We are now going to concentrate on the Database.

Will talk about:
     • Virtual Private Databases
     • Oracle Label Security




                                               20
Database Tables


• TEENAGER
    TEENAGER_ID  TEENAGER_NAME
              1  Raelene
              2  Jenna

• EXPENSE
    TEENAGER_ID  DETAILS     AMOUNT  DATE
              1  Cell         45.00  Oct 1
              1  Gum           1.35  Oct 6
              2  Help Haiti    4.00  Oct 8



                                                21
Raelene is allowed to see this …


• TEENAGER
    TEENAGER_ID  TEENAGER_NAME
              1  Raelene
              2  Jenna

• EXPENSE (Raelene’s rows are the two with TEENAGER_ID = 1)
    TEENAGER_ID  DETAILS     AMOUNT  DATE
              1  Cell         45.00  Oct 1
              1  Gum           1.35  Oct 6
              2  Help Haiti    4.00  Oct 8



                                                 22
Jenna is allowed to see this …


• TEENAGER
    TEENAGER_ID  TEENAGER_NAME
              1  Raelene
              2  Jenna

• EXPENSE (Jenna’s row is the one with TEENAGER_ID = 2)
    TEENAGER_ID  DETAILS     AMOUNT  DATE
              1  Cell         45.00  Oct 1
              1  Gum           1.35  Oct 6
              2  Help Haiti    4.00  Oct 8



                                                 23
A VPD


• A Virtual Private Database (VPD) restricts access to
  horizontal slices (rows) of a table by appending a predicate
  to every query against it

• Oracle Label Security is built on VPD: it adds a label
  column to the table and generates the policy for you




                                                           24
Who can view/edit what data?


• Label Security allows you to create a policy on the
  TEENAGER_ID. The slide’s diagram assigns a label to each
  teenager and gives the parents every label:
   • TEENAGER_ID = 1 (Raelene) → label 100
   • TEENAGER_ID = 2 (Jenna)   → label 200
   • Parents → God-like access (labels 100 and 200)
                                                              25
Database Tables
 with Label Security column added …

• TEENAGER
    TEENAGER_ID  TEENAGER_NAME
              1  Raelene
              2  Jenna

• EXPENSE
    TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
              1  Cell         45.00  Oct 1          100
              1  Gum           1.35  Oct 6          100
              2  Help Haiti    4.00  Oct 8          200



                                                       26
Jenna will get a different answer
 than Raelene and the Parents!

 • A teenager types in:
   SELECT sum(amount)
   FROM EXPENSE

 • TEENAGER
     TEENAGER_ID  TEENAGER_NAME
               1  Raelene
               2  Jenna

 • EXPENSE
     TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
               1  Cell         45.00  Oct 1          100
               1  Gum           1.35  Oct 6          100
               2  Help Haiti    4.00  Oct 8          200
                                                           27
Jenna will get a different answer
 than Raelene and the Parents!

 • … and this is what happens under the covers for Raelene’s
   session (label 100):
   SELECT sum(amount)
   FROM EXPENSE
   WHERE LS_TEENAGER IN (100)
   Raelene’s answer is 46.35 (45.00 + 1.35). Jenna’s session gets
   WHERE LS_TEENAGER IN (200) appended instead, and the answer 4.00.

 • TEENAGER
     TEENAGER_ID  TEENAGER_NAME
               1  Raelene
               2  Jenna

 • EXPENSE
     TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
               1  Cell         45.00  Oct 1          100
               1  Gum           1.35  Oct 6          100
               2  Help Haiti    4.00  Oct 8          200
                                                        28
Parents type in …


 • Parents type in:
   SELECT sum(amount)
   FROM EXPENSE

 • TEENAGER
     TEENAGER_ID  TEENAGER_NAME
               1  Raelene
               2  Jenna

 • EXPENSE
     TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
               1  Cell         45.00  Oct 1          100
               1  Gum           1.35  Oct 6          100
               2  Help Haiti    4.00  Oct 8          200
                                                           29
… and this what happens under the
 covers:

 • … and this is what happens under the covers for a parent’s
   session (labels 100 and 200):
   SELECT sum(amount)
   FROM EXPENSE
   WHERE LS_TEENAGER IN (100, 200)
   The answer is 50.35, the total of all three rows.

 • TEENAGER
     TEENAGER_ID  TEENAGER_NAME
               1  Raelene
               2  Jenna

 • EXPENSE
     TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
               1  Cell         45.00  Oct 1          100
               1  Gum           1.35  Oct 6          100
               2  Help Haiti    4.00  Oct 8          200
                                                        30
DBMS Triggers are used for INSERTs
 and UPDATEs

  • The application inserts a row without supplying a label:
    INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, DATE)
    VALUES (2, 'Book Fine', 1.00, Oct 16)

  • Oracle Label Security auto-generated a DBMS trigger on the EXPENSE
    table. The trigger calculates LS_TEENAGER = 200 from TEENAGER_ID = 2.

  • TEENAGER
      TEENAGER_ID  TEENAGER_NAME
                1  Raelene
                2  Jenna

  • EXPENSE
      TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
                1  Cell         45.00  Oct 1           100
                1  Gum           1.35  Oct 6           100
                2  Help Haiti    4.00  Oct 8           200
                2  Book Fine     1.00  Oct 16          200  ← calculated by the DBMS trigger
                                                                      31
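The slides above show the effect (the predicate appended to each query, the trigger that stamps LS_TEENAGER) without the objects that produce it. The following is an added example, not from the deck and not the objects Oracle Label Security generates: the same behaviour built directly on Oracle's generic VPD package, DBMS_RLS, which is what Label Security itself sits on. It assumes the deck's EXPENSE table (TEENAGER_ID, DETAILS, AMOUNT, …) already exists in a schema called EXPENSE_OWNER, that the script runs as that owner with EXECUTE on DBMS_RLS, and that each database session runs as the end user (as the database-connections slide recommends). TEENAGER_LABEL, LABEL_GRANT, the user names RAELENE, JENNA and MOM, and the function and policy names are assumptions.

```sql
-- Added example (not from the deck): a hand-built VPD policy on EXPENSE.
-- Assumed: schema EXPENSE_OWNER; tables TEENAGER_LABEL and LABEL_GRANT;
-- accounts RAELENE, JENNA, MOM.

ALTER TABLE EXPENSE ADD (LS_TEENAGER NUMBER);

-- Which label each teenager's rows carry ...
CREATE TABLE TEENAGER_LABEL (
  TEENAGER_ID  NUMBER  PRIMARY KEY,
  LS_TEENAGER  NUMBER  NOT NULL UNIQUE
);
INSERT INTO TEENAGER_LABEL VALUES (1, 100);   -- Raelene
INSERT INTO TEENAGER_LABEL VALUES (2, 200);   -- Jenna

-- ... and which database accounts may see rows carrying a given label.
CREATE TABLE LABEL_GRANT (
  DB_USER      VARCHAR2(128) NOT NULL,
  LS_TEENAGER  NUMBER        NOT NULL REFERENCES TEENAGER_LABEL (LS_TEENAGER),
  PRIMARY KEY (DB_USER, LS_TEENAGER)
);
INSERT INTO LABEL_GRANT VALUES ('RAELENE', 100);
INSERT INTO LABEL_GRANT VALUES ('JENNA',   200);
INSERT INTO LABEL_GRANT VALUES ('MOM',     100);   -- parents hold every label
INSERT INTO LABEL_GRANT VALUES ('MOM',     200);

-- The slide's trigger, written out: the label is derived from TEENAGER_ID and
-- never taken from the application, which also cannot set LS_TEENAGER directly.
-- An unknown TEENAGER_ID raises NO_DATA_FOUND, so the row is rejected rather
-- than stored without a label.
CREATE OR REPLACE TRIGGER EXPENSE_LABEL_TRG
BEFORE INSERT OR UPDATE OF TEENAGER_ID, LS_TEENAGER ON EXPENSE
FOR EACH ROW
BEGIN
  SELECT LS_TEENAGER INTO :NEW.LS_TEENAGER
  FROM   TEENAGER_LABEL
  WHERE  TEENAGER_ID = :NEW.TEENAGER_ID;
END;
/

-- The policy function. VPD appends the string it returns to every statement
-- against EXPENSE: "SELECT sum(amount) FROM EXPENSE" becomes
-- "... WHERE LS_TEENAGER IN (100)" for Raelene and "... IN (100,200)" for MOM.
CREATE OR REPLACE FUNCTION EXPENSE_LABEL_PREDICATE (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_labels VARCHAR2(4000);
BEGIN
  -- Labels are NUMBERs from a table the application cannot write, so
  -- building the predicate string from them is safe.
  SELECT LISTAGG(LS_TEENAGER, ',') WITHIN GROUP (ORDER BY LS_TEENAGER)
  INTO   v_labels
  FROM   LABEL_GRANT
  WHERE  DB_USER = SYS_CONTEXT('USERENV', 'SESSION_USER');

  -- Fail closed: an account with no label sees nothing, not everything.
  IF v_labels IS NULL THEN
    RETURN '1=0';
  END IF;
  RETURN 'LS_TEENAGER IN (' || v_labels || ')';
END;
/

-- Attach the predicate to EXPENSE for all statement types. update_check makes
-- INSERT and UPDATE honour it too: a row whose derived label the session could
-- not read back is rejected, so Jenna cannot file an expense as Raelene.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'EXPENSE_OWNER',
    object_name     => 'EXPENSE',
    policy_name     => 'EXPENSE_LABEL_POLICY',
    function_schema => 'EXPENSE_OWNER',
    policy_function => 'EXPENSE_LABEL_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

Two points a reviewer should check in any such policy: the predicate is keyed on SESSION_USER, so it protects nothing if every request arrives on a shared pool account (the whole pool would then map to one row of LABEL_GRANT, or to none and see nothing); and the function must not itself query the protected table, or the policy recurses. The default policy type is dynamic, so label changes in LABEL_GRANT take effect on the next statement without re-registering the policy.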
Label Security can have up to 3 groupings

• An Oracle Label Security label is built from up to three components
  (levels, compartments and groups). The slide’s diagram sketches labels
  built from:
   • the teenager: TEENAGER_ID = 1 → 100, TEENAGER_ID = 2 → 200
   • the expense type: EXPENSE_TYPE = 8 → 8,000
   • the group of users: Younger Siblings, Teenagers, Grandparents
     (the diagram shows the combined value 770,000)
                                                        32
Take a break …


• A story about University …




                               33
Web Application Architecture




                               34
LDAP
Oracle OAM & OID

• LDAP = Lightweight Directory Access Protocol
• Oracle Internet Directory (OID) is an implementation of
  directory services, LDAPv3
• Oracle Access Manager (OAM) enforces policies and
  works with OID
• Watch out for your firewall settings: idle-connection timeouts
  can silently drop the long-lived LDAP connections
• Active Directory can “connect”
   • DIP (Directory Integration Platform) synchronises names and passwords




                                                      35
Oracle LDAP Components

All the “green” servers support the LDAP responsibilities. Oracle Access Manager
(OAM) is the main interface into the outside world. However, the “purple” Oracle
Database has some direct connections with Oracle’s LDAP (OID), probably for
performance reasons. In theory, the dashed lines below were not really
necessary.

The two columns of “green” servers indicate that they can be clustered, and the
set of servers can be in different locations.




                                                                                  36
Web Application Architecture


How does LDAP interact with the Web Application Server?




                                                          37
Oracle LDAP Interfaces




                         38
Web Application Architecture




                               39
Simplified Web Application Architecture




                                          40
Simplified Web Application Architecture




• HTTP Server – Oracle HTTP Server (Apache based) with Oracle’s
  mod_oc4j module routing requests to the container
• Web Application Container – Oracle’s OC4J … and soon
  WebLogic

                                                     41
Web Server interactions with LDAP
 The “Happy Path” …




The Browser makes an HTTP request, via interaction #1.
The HTTP Server looks at this request and asks the LDAP
Access services (OAM) whether this request is allowed to proceed.
This is done via interaction #2. If the answer is positive, it
passes on the request to the destination, via interaction #3.
                                                            42
Web Server interactions with LDAP
 The “Happy Path” continued …




In this “Happy Path” scenario the user has already
authenticated (i.e. logged in).
Oracle can place authentication data in HTTP headers
and/or in cookies. It gives information about the
user ID, expiry time, etc. [Refer to interactions #1 & #3]
Those headers are set by the HTTP Server on interaction #3, so the
Web Application Container must accept them only from the HTTP Server
and never from a client that can reach the container directly;
otherwise a user could supply their own “user ID” header.
                                                             43
Web Server interactions with LDAP
 The “Happy Path” continued …




The authorization rules are enforced in two different places:
   • Interaction #2 – Can protect basic requests, such as, URL
     requests that start with
     www.TeenagerExpenses.mb.ca/expenses
   • Interaction #4 – Using LDAP Queries, it can lookup more fine
     grained permissions such as:
     www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp        44
Authorization and Role-based Security




                                        45
Web Server interactions with LDAP
 The “Happy Path” continued …




The authorization rules are enforced in two different places:
   • Interaction #2 – Basic requests based on OAM polices
   • Interaction #4 – Fine grained based on LDAP Queries / Role-
     based Security
Decide which interaction is responsible for what, early in
the project!
                                                                   46
Authorization and Role-based Security




       User    –       Role   –      Feature

• Can be tricky. Can’t control the number of users. But
  you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the
  actual physical business processes – people need to
  understand them. Be ready to refactor!
                                                          47
Authorization and Role-based Security


• Features – Pick the number of features wisely, keep
  them to a minimum and understandable.



      Fine-grained control (complicated)  ←→  Coarse-grained control (simple)



• Ask questions! Find out what the real requirement is.
  “Are you sure?” “Can this one feature represent both the
  search and the detail page?” “How easy is it to test?”
                                                           49
Web Server interactions with LDAP
 The “Unhappy Path” …




The “unhappy” path is one where the user has not logged
in yet. The Web Application Container can have two
applications:
   • The OAM Single-Sign On (SSO) “helper” application, which
     includes these pages: login, logout, and not authorized
   • The business application, such as the “expenses” test
     application                                                50
Web Server interactions with LDAP
 Log out …




Your web applications will point to a logout page in the SSO
application. It can (or should) invalidate the SSO session and the
sessions of every web application under its protection; clearing
only the application’s own session leaves the SSO cookie valid, so
the user is signed straight back in on the next request.



                                                          51
Web Application Architecture
 The Report Server




                               52
Oracle BI Publisher Report Server


• It has its own built-in security that doesn’t work directly
  with OAM – Read up on how to integrate them.




                                                                53
Web Application Architecture
  Database connections




                               54
Database Connections


• Perform adequate performance tests on these interactions

• Because we implemented a VPD at a low level, we want
  to ensure that the end user is restricted from the
  bottom up, and that means connecting to the database as that user.
   • Experience: it can take up to 5 seconds to “stamp” a user onto a
     proxy connection. The solution was to make a connection pool for
     each user
   • Experience: the setup and use of Label Security is expensive
   • Alternatives??




                                                                   55
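The slide's "connect as that user" is what makes the row-level policies above work: the predicate is keyed on the session user, so a pool that logs in as one shared account defeats it. The following is an added example, not from the deck: Oracle proxy authentication, which lets a pooled application account open sessions as the real end user without the middle tier ever holding the end users' passwords. It is Oracle SQL to be run by a DBA; the account names APP_POOL, RAELENE, JENNA and MOM, the roles TEEN_ROLE and PARENT_ROLE, the schema EXPENSE_OWNER and the password placeholders are assumptions.

```sql
-- Added example (not from the deck): proxy authentication for a connection pool.
-- Assumed names: APP_POOL, RAELENE, JENNA, MOM, TEEN_ROLE, PARENT_ROLE, EXPENSE_OWNER.

-- The pool account: it can open sessions and nothing else.
CREATE USER APP_POOL IDENTIFIED BY "<pool-password>";
GRANT CREATE SESSION TO APP_POOL;

-- Least-privilege roles for the two kinds of end user.
CREATE ROLE TEEN_ROLE;
GRANT SELECT, INSERT ON EXPENSE_OWNER.EXPENSE TO TEEN_ROLE;
CREATE ROLE PARENT_ROLE;
GRANT SELECT ON EXPENSE_OWNER.EXPENSE TO PARENT_ROLE;

-- End-user accounts. The application never learns these passwords;
-- it only ever reaches the accounts through APP_POOL.
CREATE USER RAELENE IDENTIFIED BY "<not-used-by-the-application>";
CREATE USER JENNA   IDENTIFIED BY "<not-used-by-the-application>";
CREATE USER MOM     IDENTIFIED BY "<not-used-by-the-application>";
GRANT CREATE SESSION, TEEN_ROLE   TO RAELENE, JENNA;
GRANT CREATE SESSION, PARENT_ROLE TO MOM;

-- Allow APP_POOL to act as each user, and cap what the proxied session can
-- use to the named role: even if the user holds more, the pool cannot reach it.
ALTER USER RAELENE GRANT CONNECT THROUGH APP_POOL WITH ROLE TEEN_ROLE;
ALTER USER JENNA   GRANT CONNECT THROUGH APP_POOL WITH ROLE TEEN_ROLE;
ALTER USER MOM     GRANT CONNECT THROUGH APP_POOL WITH ROLE PARENT_ROLE;

-- Record on whose behalf the pool acted; without this the audit trail
-- attributes everything to APP_POOL.
AUDIT SELECT TABLE, INSERT TABLE BY APP_POOL ON BEHALF OF ANY;

-- Verify the proxy grants ...
SELECT PROXY, CLIENT, ROLE
FROM   DBA_PROXIES
ORDER  BY CLIENT;

-- ... and, after connecting the way the middle tier does, e.g. in SQL*Plus
--   CONNECT APP_POOL[RAELENE]/<pool-password>
-- check what the session looks like to VPD and to the audit triggers:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS end_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS pool_account
FROM   DUAL;
```

On a proxied session SESSION_USER reports the end user (RAELENE) and PROXY_USER the pool account (APP_POOL), which is exactly what a VPD predicate or an audit trigger keyed on SESSION_USER needs. From Java the Oracle JDBC driver exposes the same switch as OracleConnection.openProxySession, and the cost the slide reports for that switch is the trade-off to measure: one pool per user, the slide's workaround, avoids it but makes the number of open database connections grow with the user population, so it suits a family-sized user base better than an enterprise one.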
(If we have time …)


1. Creating a log of access – find out if one is needed
   early in the project
2. Web Analytics – find out if test users are needed in
   production, and what that means
3. Security on Web Services & Services (SOA) – again,
   find out if this extra layer needs its own gatekeeper of
   security
4. The need for Backend Reports with BI Publisher
5. Data Encryption in the Database



                                                              56
Web Application Security

Using Oracle products as an example


        By: Jonathan Wagner, October 2011

        jwagner@protegra.com



                                            57

Contenu connexe

Similaire à Web App Security Using Oracle Products

Ivanti Asset Discovery
Ivanti Asset DiscoveryIvanti Asset Discovery
Ivanti Asset DiscoveryIvanti
 
Asset Discovery: Opening Pandora's Box
Asset Discovery: Opening Pandora's BoxAsset Discovery: Opening Pandora's Box
Asset Discovery: Opening Pandora's BoxIvanti
 
Lecture 3_1 CharacteristicsOfBigData.pptx
Lecture 3_1 CharacteristicsOfBigData.pptxLecture 3_1 CharacteristicsOfBigData.pptx
Lecture 3_1 CharacteristicsOfBigData.pptxMOAZZAMALISATTI
 
Virtual Data : Eliminating the data constraint in Application Development
Virtual Data :  Eliminating the data constraint in Application DevelopmentVirtual Data :  Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application DevelopmentKyle Hailey
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemAPNIC
 
Database Design Disasters
Database Design DisastersDatabase Design Disasters
Database Design DisastersRichie Rump
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosObtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosElasticsearch
 

Similaire à Web App Security Using Oracle Products (7)

Ivanti Asset Discovery
Ivanti Asset DiscoveryIvanti Asset Discovery
Ivanti Asset Discovery
 
Asset Discovery: Opening Pandora's Box
Asset Discovery: Opening Pandora's BoxAsset Discovery: Opening Pandora's Box
Asset Discovery: Opening Pandora's Box
 
Lecture 3_1 CharacteristicsOfBigData.pptx
Lecture 3_1 CharacteristicsOfBigData.pptxLecture 3_1 CharacteristicsOfBigData.pptx
Lecture 3_1 CharacteristicsOfBigData.pptx
 
Virtual Data : Eliminating the data constraint in Application Development
Virtual Data :  Eliminating the data constraint in Application DevelopmentVirtual Data :  Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application Development
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
 
Database Design Disasters
Database Design DisastersDatabase Design Disasters
Database Design Disasters
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosObtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
 

Plus de sdeconf

S rogalsky user-storymapping
S rogalsky user-storymappingS rogalsky user-storymapping
S rogalsky user-storymappingsdeconf
 
Sdec 2011 ux_agile_svt
Sdec 2011 ux_agile_svtSdec 2011 ux_agile_svt
Sdec 2011 ux_agile_svtsdeconf
 
Sdec 2011 ask_watchlisten_svt
Sdec 2011 ask_watchlisten_svtSdec 2011 ask_watchlisten_svt
Sdec 2011 ask_watchlisten_svtsdeconf
 
S bueckert sdecmobile
S bueckert sdecmobileS bueckert sdecmobile
S bueckert sdecmobilesdeconf
 
Ro r trilogy-part-1
Ro r trilogy-part-1Ro r trilogy-part-1
Ro r trilogy-part-1sdeconf
 
Rackforce the cloud
Rackforce the cloudRackforce the cloud
Rackforce the cloudsdeconf
 
Pscad agile adoption
Pscad agile adoptionPscad agile adoption
Pscad agile adoptionsdeconf
 
L phillips apm
L phillips apmL phillips apm
L phillips apmsdeconf
 
G meredith scala
G meredith scalaG meredith scala
G meredith scalasdeconf
 
Dan perron lim
Dan perron limDan perron lim
Dan perron limsdeconf
 
D alpert ux101
D alpert ux101D alpert ux101
D alpert ux101sdeconf
 
C maksymchuk android
C maksymchuk androidC maksymchuk android
C maksymchuk androidsdeconf
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azuresdeconf
 
C fowler azure-dojo
C fowler azure-dojoC fowler azure-dojo
C fowler azure-dojosdeconf
 
Booked in agileadoption
Booked in agileadoptionBooked in agileadoption
Booked in agileadoptionsdeconf
 

Plus de sdeconf (15)

S rogalsky user-storymapping
S rogalsky user-storymappingS rogalsky user-storymapping
S rogalsky user-storymapping
 
Sdec 2011 ux_agile_svt
Sdec 2011 ux_agile_svtSdec 2011 ux_agile_svt
Sdec 2011 ux_agile_svt
 
Sdec 2011 ask_watchlisten_svt
Sdec 2011 ask_watchlisten_svtSdec 2011 ask_watchlisten_svt
Sdec 2011 ask_watchlisten_svt
 
S bueckert sdecmobile
S bueckert sdecmobileS bueckert sdecmobile
S bueckert sdecmobile
 
Ro r trilogy-part-1
Ro r trilogy-part-1Ro r trilogy-part-1
Ro r trilogy-part-1
 
Rackforce the cloud
Rackforce the cloudRackforce the cloud
Rackforce the cloud
 
Pscad agile adoption
Pscad agile adoptionPscad agile adoption
Pscad agile adoption
 
L phillips apm
L phillips apmL phillips apm
L phillips apm
 
G meredith scala
G meredith scalaG meredith scala
G meredith scala
 
Dan perron lim
Dan perron limDan perron lim
Dan perron lim
 
D alpert ux101
D alpert ux101D alpert ux101
D alpert ux101
 
C maksymchuk android
C maksymchuk androidC maksymchuk android
C maksymchuk android
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azure
 
C fowler azure-dojo
C fowler azure-dojoC fowler azure-dojo
C fowler azure-dojo
 
Booked in agileadoption
Booked in agileadoptionBooked in agileadoption
Booked in agileadoption
 

Dernier

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Dernier (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Web App Security Using Oracle Products

  • 1. Web Application Security Using Oracle products as an example 1
  • 2. Syllabus • It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment which can collapse the organization in a hurry. The architecture of a web based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrate and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign on, cookies, Hibernate interactions, and role-based security. 2
  • 3. Setting the stage … • Who is in the audience? Which one are you? • Architect • Database Administrator (DBA) • Developer • Java • Other • Other • Goals: • General Understanding • Advice, related to Security in a web application • Drill in to some unobvious specifics • Questions? 3
  • 4. What’s the big deal? We have some challenges … • Technology is more susceptible and more complicated • unwanted system access • localized damage • global damage • how do decision makers respond to pain? ~~ rational thinking • Data (and Process) Ownership Trends • Silos → Sharing • Terminology confusion ~~ talk about the same thing: Einstein quote • Organizations → Products AND Services • Potential huge costs, time and $$$$ • Educate and then ask, are you sure? 4
  • 5. Legal stuff … • Legal questions can delay a project • submit questions as early as possible • get feedback as early as possible • legal requirements are hard and fast – know them early to avoid expensive rework 5
  • 6. LEAN Agile Manage Did someone say something about Security? 6
  • 8. Step 1 • www.TeenagerExpenses.mb.ca • Ask the Domain Name Server to provide a machine readable address, called an Internet Protocol (IP) Address 8
  • 10. Step 3 • Reverse Proxy (Oracle’s WebCache) • Guard at the door into the architecture • In the middle of the DMZ sandwich • Robust solutions include: • Caching of static “public” content (picture files, Javascript) • Load Balancing • Decryption of HTTPS requests … more on that later 10
  • 11. Step 4 • The Web Application Server is the brains with all the business logic --- it knows what to do with the HTTP GET request 11
  • 12. Step 5 • The server needs to first get a list of teenagers, and so, get it from the server responsible for persisting information 12
  • 13. Step 6 • Teenager Result Set: • Raelene • Jenna 13
  • 14. Step 7 • Let’s send HTTP Response of HTML: <Label>Teenager Name:</Label> <SelectionBox> <Selection>Raelene</Selection> <Selection>Jenna</Selection> … 14
  • 15. Step 8 15
  • 16. Step 9 16
  • 19. Audit Columns • Every table in the database includes the following columns: • A_CREATED_BY • A_CREATED_TIMESTAMP • A_MODIFIED_BY • A_MODIFIED_TIMESTAMP • Know the effects of the Sarbanes-Oxley act • Create a companion history table for every table in the database. It will be a complete history of “snapshots”. These tables have the exact same columns plus a timestamp column. (Data is almost free!) 19
  • 20. Web Application Architecture We are now going to concentrate on the Database. Will talk about: • Virtual Private Databases • Oracle Label Security 20
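One way to maintain the slide-19 audit columns and the companion history table from inside the database, as an added Oracle example that is not the presentation's code; the names EXPENSE and EXPENSE_H and the use of SESSION_USER as the acting user are assumptions.

```sql
-- Added example, not the presentation's code: slide-19 audit columns plus a
-- companion history table, both maintained by one trigger. Assumed names:
-- EXPENSE / EXPENSE_H; the acting user is taken from SESSION_USER.
CREATE TABLE expense (
  expense_id           NUMBER       PRIMARY KEY,
  teenager_id          NUMBER       NOT NULL,
  details              VARCHAR2(40),
  amount               NUMBER(9,2),
  a_created_by         VARCHAR2(30),
  a_created_timestamp  TIMESTAMP,
  a_modified_by        VARCHAR2(30),
  a_modified_timestamp TIMESTAMP
);
-- History table: exactly the same columns plus one snapshot timestamp.
-- No primary key: every INSERT/UPDATE adds a row, nothing is ever overwritten.
CREATE TABLE expense_h AS
  SELECT e.*, SYSTIMESTAMP AS h_snapshot_timestamp FROM expense e WHERE 1 = 0;

CREATE OR REPLACE TRIGGER expense_audit
  BEFORE INSERT OR UPDATE ON expense FOR EACH ROW
DECLARE
  v_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
BEGIN
  IF INSERTING THEN
    :NEW.a_created_by        := v_user;
    :NEW.a_created_timestamp := SYSTIMESTAMP;
  ELSE
    -- A_CREATED_* never change: overwrite whatever the application sent.
    :NEW.a_created_by        := :OLD.a_created_by;
    :NEW.a_created_timestamp := :OLD.a_created_timestamp;
  END IF;
  :NEW.a_modified_by        := v_user;      -- set by the database, not the app
  :NEW.a_modified_timestamp := SYSTIMESTAMP;
  -- Snapshot the row exactly as it is about to be stored.
  INSERT INTO expense_h VALUES (
    :NEW.expense_id, :NEW.teenager_id, :NEW.details, :NEW.amount,
    :NEW.a_created_by, :NEW.a_created_timestamp,
    :NEW.a_modified_by, :NEW.a_modified_timestamp, SYSTIMESTAMP);
END;
/
```

A DELETE leaves only the last snapshot behind; if the deletion itself must be recorded, add a DELETE branch that writes the :OLD values to EXPENSE_H.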
  • 21. Database Tables
    TEENAGER
      TEENAGER_ID  TEENAGER_NAME
      1            Raelene
      2            Jenna
    EXPENSE
      TEENAGER_ID  DETAILS     AMOUNT  DATE
      1            Cell        45.00   Oct 1
      1            Gum         1.35    Oct 6
      2            Help Haiti  4.00    Oct 8
    21
  • 22. Raelene is allowed to see this … (the TEENAGER and EXPENSE tables from slide 21) 22
  • 23. Jenna is allowed to see this … (the TEENAGER and EXPENSE tables from slide 21) 23
  • 24. A VPD • A Virtual Private Database (VPD) = restricts access on horizontal slices • Oracle Label Security is an implementation of a VPD 24
  • 25. Who can view/edit what data? • Label Security allows you to create a policy on the TEENAGER_ID (diagram):
      TEENAGER_ID = 1 (Raelene) → label 100 → Raelene
      TEENAGER_ID = 2 (Jenna)   → label 200 → Jenna
      Parents (God-like access) → labels 100 and 200
    25
  • 26. Database Tables with Label Security column added …
    TEENAGER
      TEENAGER_ID  TEENAGER_NAME
      1            Raelene
      2            Jenna
    EXPENSE
      TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
      1            Cell        45.00   Oct 1  100
      1            Gum         1.35    Oct 6  100
      2            Help Haiti  4.00    Oct 8  200
    26
  • 27. Jenna will get a different answer than Raelene and the Parents! SELECT sum(amount) FROM EXPENSE (tables as on slide 26) 27
  • 28. Jenna will get a different answer than Raelene and the Parents! SELECT sum(amount) FROM EXPENSE WHERE LS_TEENAGER IN (100) (tables as on slide 26) 28
  • 29. Parents type in … SELECT sum(amount) FROM EXPENSE (tables as on slide 26) 29
  • 30. … and this is what happens under the covers: SELECT sum(amount) FROM EXPENSE WHERE LS_TEENAGER IN (100, 200) (tables as on slide 26) 30
  • 31. DBMS Triggers are used for INSERTs and UPDATEs
    INSERT (TEENAGER_ID, DETAILS, AMOUNT, DATE) VALUES (2, “Book Fine”, 1, Oct 16)
    Oracle Label Security auto-generated a DBMS Trigger on the EXPENSE table. The trigger calculates 200 based on TEENAGER_ID.
    EXPENSE (after the INSERT)
      TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
      1            Cell        45.00   Oct 1   100
      1            Gum         1.35    Oct 6   100
      2            Help Haiti  4.00    Oct 8   200
      2            Book Fine   1.00    Oct 16  200  (calculated by DBMS Trigger)
    31
  • 32. Label Security can have up to 3 groupings (diagram): TEENAGER_ID = 1 → 100, TEENAGER_ID = 2 → 200; EXPENSE_TYPE = 8 → 8,000; Younger Siblings, Teenagers, Grandparents → 770,000 32
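The predicate rewriting of slides 27 to 31, hand-rolled as a plain VPD with DBMS_RLS (one of the "alternatives" slide 55 asks about), as an added example that is not the presentation's code. Assumed: the schema is APP, end users connect as their own database user (slide 55), the access-list table LS_TEENAGER_ACCESS and its rows are constructed, and a teenager's label is TEENAGER_ID * 100 (the 1 → 100, 2 → 200 values on the slides).

```sql
-- Added example, not the presentation's code: a plain VPD (DBMS_RLS) that
-- reproduces the slides' predicate rewriting. Assumed: schema APP, users connect
-- as their own database user (slide 55), label = TEENAGER_ID * 100 (1 -> 100).
CREATE TABLE expense (
  teenager_id  NUMBER       NOT NULL,
  details      VARCHAR2(40),
  amount       NUMBER(9,2),
  expense_date DATE,
  ls_teenager  NUMBER                 -- the label column added on slide 26
);
-- Constructed sample data: which database user may see which labels.
CREATE TABLE ls_teenager_access (db_user VARCHAR2(30), ls_teenager NUMBER);
INSERT INTO ls_teenager_access VALUES ('RAELENE', 100);
INSERT INTO ls_teenager_access VALUES ('JENNA',   200);
INSERT INTO ls_teenager_access VALUES ('PARENT',  100);   -- parents see both
INSERT INTO ls_teenager_access VALUES ('PARENT',  200);
-- Slide 31: the label is stamped by a trigger, never supplied by the application.
CREATE OR REPLACE TRIGGER expense_ls_stamp
  BEFORE INSERT OR UPDATE OF teenager_id ON expense FOR EACH ROW
BEGIN
  :NEW.ls_teenager := :NEW.teenager_id * 100;
END;
/
-- Policy function: returns the WHERE clause Oracle appends "under the covers".
CREATE OR REPLACE FUNCTION expense_ls_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
  v_labels VARCHAR2(4000);
BEGIN
  -- Runs with the owner's rights, so end users need no grant on the access table.
  SELECT LISTAGG(ls_teenager, ', ') WITHIN GROUP (ORDER BY ls_teenager)
    INTO v_labels FROM ls_teenager_access
   WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
  IF v_labels IS NULL THEN
    RETURN '1 = 0';                 -- unknown user: no rows, never all rows
  END IF;
  RETURN 'ls_teenager IN (' || v_labels || ')';   -- IN (100, 200) for PARENT
END;
/
-- Attach the predicate to reads and writes; UPDATE_CHECK also rejects an INSERT
-- or UPDATE whose resulting row falls outside the caller's labels.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => 'APP', object_name => 'EXPENSE',
    policy_name => 'EXPENSE_LS_POLICY', function_schema => 'APP',
    policy_function => 'EXPENSE_LS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
END;
/
```

Connected as JENNA, SELECT sum(amount) FROM EXPENSE is rewritten to WHERE ls_teenager IN (200); a user with no access rows gets an empty result rather than the whole table.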
  • 33. Take a break … • A story about University … 33
  • 35. LDAP Oracle OAM & OID • LDAP = Lightweight Directory Access Protocol • Oracle Internet Directory is an implementation of directory services, LDAPv3 • Oracle Access Manager (OAM) enforces policies and works with OID • Watch out for your firewall settings -- timeouts • Active Directory can “connect” • DIP transfers names and passwords 35
  • 36. Oracle LDAP Components All the “green” servers support the LDAP responsibilities. Oracle Access Manager (OAM) is the main interface into the outside world. However, the “purple” Oracle Database has some direct connections with Oracle’s LDAP (OID), probably for performance reasons. In theory, the dashed lines below were not really necessary. The two columns of “green” servers indicate that they can be clustered, and the set of servers can be in different locations. 36
  • 37. Web Application Architecture How does the LDAP interact with the Web Application Server? 37
  • 40. Simplified Web Application Architecture 40
  • 41. Simplified Web Application Architecture • HTTP Server – Oracle’s MOD_OC4J • Web Application Container – Oracle’s OC4J … and soon WebLogic 41
  • 42. Web Server interactions with LDAP The “Happy Path” … The Browser makes an HTTP Request, via interaction #1. The HTTP Server looks at this request and asks the LDAP Access services if this request is allowed to proceed. This is done via interaction #2. If the answer is positive, it passes on the request to the destination, via interaction #3. 42
  • 43. Web Server interactions with LDAP The “Happy Path” continued … In this “Happy Path” scenario the user has already authenticated (i.e. logged in). Oracle can place authentication data in “HTTP Headers” and/or in some “cookies”. It gives information about the User ID, expiry time, etc. [Refer to interactions #1 & #3] 43
  • 44. Web Server interactions with LDAP The “Happy Path” continued … The authorization rules are enforced in two different places: • Interaction #2 – Can protect basic requests, such as, URL requests that start with www.TeenagerExpenses.mb.ca/expenses • Interaction #4 – Using LDAP Queries, it can lookup more fine grained permissions such as: www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp 44
  • 46. Web Server interactions with LDAP The “Happy Path” continued … The authorization rules are enforced in two different places: • Interaction #2 – Basic requests based on OAM policies • Interaction #4 – Fine grained based on LDAP Queries / Role-based Security Decide which interaction is responsible for what, early in the project! 46
  • 47. Authorization and Role-based Security User – Role – Feature • Can be tricky. Can’t control the number of users. But you can control the number of Roles and Features. • Roles – Configure Roles and role names to match the actual physical business processes – people need to understand them. Be ready to refactor! 47
  • 49. Authorization and Role-based Security • Features – Pick the number of features wisely, keep them to a minimum and understandable. Fine grained control Coarse grained control Complicated Simple • Ask questions! Find out what the real requirement is. “Are you sure?” “Can this one feature represent both the search and the detail page?” “How easy is it to test?” 49
  • 50. Web Server interactions with LDAP The “Unhappy Path” … The “unhappy” path is one where the user has not logged in yet. The Web Application Container can have two applications: • The OAM Single-Sign On (SSO) “helper” application, which includes these pages: login, logout, and not authorized • The business application, such as the “expenses” test application 50
  • 51. Web Server interactions with LDAP Log out … Your web applications will point to a logout page in the SSO application. It can (or should) invalidate the web applications under its protection. 51
  • 52. Web Application Architecture The Report Server 52
  • 53. Oracle BI Publisher Report Server • It has its own built-in security that doesn’t work directly with OAM – Read up on how to integrate them. 53
  • 54. Web Application Architecture Database connections 54
  • 55. Database Connections • Perform adequate performance tests on these interactions • Because we implemented a VPD at a low level, we want to ensure that the end-user will be restricted from the bottom up, and that means connecting as that user. • Experience: Can take up to 5 seconds to “stamp” a user onto a proxy connection. The solution is to make a connection pool for each user • Experience: The setup and use of Label Security is expensive • Alternatives?? 55
  • 56. (If we have time …) 1. Creating a log of access – find out if one is needed early in the project 2. Web Analytics – find out if test users are needed in production, and what that means 3. Security on Web Services & Services (SOA) – again, find out if this extra layer needs its own gatekeeper of security 4. The need for Backend Reports with BI Publisher 5. Data Encryption in the Database 56
  • 57. Web Application Security Using Oracle products as an example By: Jonathan Wagner, October 2011 jwagner@protegra.com 57